git.ipfire.org Git - thirdparty/krb5.git/commit
Do not loop on principal unknown errors
author Simo Sorce <simo@redhat.com>
Tue, 20 Jan 2015 18:48:34 +0000 (13:48 -0500)
committer Tom Yu <tlyu@mit.edu>
Mon, 9 Feb 2015 23:14:07 +0000 (18:14 -0500)
commit 262eb56da6af3c674feaa8e48e8a8ed52d1eea1b
tree 1fb94a0e6e955f42afe19d79dd81ba8d9fa7a75d
parent 62a4509028ae7c7cf00af38cde879428f03fe5e6
Do not loop on principal unknown errors

If the canonicalize flag is set, the MIT KDC always returns the client
principal when KRB5_KDC_ERR_C_PRINCIPAL_UNKNOWN is returned.

Check that this is really a referral by testing that the returned
client realm differs from the requested one.

[ghudson@mit.edu: simplified and narrowed is_referral() contract.
Note that a WRONG_REALM response with e-data or FAST error padata
could now be passed through k5_preauth_tryagain() if it has an empty
crealm or a crealm equal to the requested client realm.  Such a
response is unexpected in practice and there is nothing dangerous
about handling it this way.]

(cherry picked from commit d5755694b620570defeecee772def90a2733c6cc)

ticket: 8125 (new)
version_fixed: 1.12.3
status: resolved
src/lib/krb5/krb/get_in_tkt.c
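
The referral test described in the commit message, as an added example that is not the krb5 code from this commit. The types, the `fake_kdc` responder, the realm names and `MAX_HOPS` are constructed for illustration; the example contrasts a check that treats any returned client realm as a referral with one that requires the realm to differ.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical, simplified stand-ins; not the krb5 library's types. */
struct realm { const char *data; size_t len; };  /* counted string */
struct kdc_error { struct realm crealm; };       /* client realm in the error */
#define MAX_HOPS 10  /* constructed limit so the simulation terminates */

/* Naive check: any error carrying a client realm is taken as a referral. */
int naive_is_referral(const struct kdc_error *e, struct realm requested)
{
    (void)requested;
    return e->crealm.len != 0;
}

/* Check from the commit message: the returned realm must differ. */
int strict_is_referral(const struct kdc_error *e, struct realm requested)
{
    if (e->crealm.len == 0)
        return 0;
    return e->crealm.len != requested.len ||
           memcmp(e->crealm.data, requested.data, requested.len) != 0;
}

/* Constructed KDC: echoes the requested client realm in every error, except
 * that OLD.EXAMPLE refers the client to NEW.EXAMPLE. */
static struct kdc_error fake_kdc(struct realm req)
{
    struct kdc_error e;
    e.crealm = req;
    if (req.len == 11 && memcmp(req.data, "OLD.EXAMPLE", 11) == 0)
        e.crealm.data = "NEW.EXAMPLE";  /* same length, so len is unchanged */
    return e;
}

/* Count requests sent before the client stops following referrals. */
int requests_sent(const char *start,
                  int (*check)(const struct kdc_error *, struct realm))
{
    struct realm r = { start, strlen(start) };
    int n = 0;
    while (n < MAX_HOPS) {
        struct kdc_error e = fake_kdc(r);
        n++;
        if (!check(&e, r))
            break;
        r = e.crealm;
    }
    return n;
}
```

Against the constructed KDC, the naive check keeps re-sending until the hop limit, while the realm comparison stops at the first error that echoes the requested realm.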